The Dissection of a Rootkit

By Lisa Vaas  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

F-Secure Security Labs' new paper takes apart the dangerous and stealthy rootkit and tells us how helpless we now are against this increasingly popular form of attack.

Security analysts have been predicting that kernel rootkits, which cloak their activity by replacing a portion of a program's software kernel with modified code, are expected to continue to grow in frequency in 2007.

While rootkit-fighting technologies such as the PatchGuard kernel protection system built into 64-bit versions of Microsoft's new Windows Vista operating system are arriving, most PC users will still be left open to the attacks over the next twelve months, CA has said, and even experienced PC users are vulnerable to their sophisticated techniques.

F-Secure Security Labs has been tracking and dissecting kernel malware for years; this form of attack was first spotted as far back as 1999, in the form of the WinNT/Infis attack.

F-Secure researcher Kimmo Kasslin has made the findings available in a paper titled "Kernel Malware: The Attack from Within" (a PDF) as well as in a slide show (also a PDF).

Kasslin explains in detail what kernel malware is, how it works, and what makes its detection and removal so challenging. He also details two malware cases that use kernel-mode techniques to escape detection and to bypass personal firewalls.

Kernel rootkits are still a very small fraction of malware discovered, but Kasslin's paper provides a stark, graphical illustration of how their use has skyrocketed post-2004.

Why the sudden surge in this frightening mode of attack?

"The high rise in popularity of kernel malware can be mostly explained by the increased motivation for malware authors to hide their creations from detection as long as possible," Kasslin writes.

Click here to read more about rootkit tactics.

"To hide even better, they have started to use kernel-mode rootkit techniques as more and more documentation, examples and fully working examples with full source code has become publicly available. However, there are other motives for malware to move to kernel, probably [the] most important ones being firewall and anti-virus scanner bypassing."

Current security solutions are generally feeble protection, Kasslin says, given that a rootkit operating in full kernel mode (as opposed to reaching up into user mode to execute activity unavailable in kernel mode, also known as semi-kernel malware) has the same privileges as the operating system itself and can cut off firewalls and anti-virus software at the knees.

"This has already been seen with rootkits and their anti-detection engines," Kasslin writes. "After the rootkit notices that it is no longer able to hide from the rootkit detector and is going to [lose] the game, it changes tactics and starts to make a direct attacks against the detector. It might take a more aggressive approach and prevents the rootkit detector from starting. Or it could directly patch the rootkit detector's code to change its inner logic."

Is there hope? Kasslin offers little. "Current security solutions, including anti-virus scanners and firewalls, have not been designed to protect against kernel malware. Prevention might be the only solution," he writes in his slide show conclusion.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...